Leave open the option of administrator acls.
[invirt/packages/invirt-web.git] / templates / getafsgroups.py
1 #!/usr/bin/python
2 import pprint
3 import subprocess
4
5 # import ldap
6 # l = ldap.open("W92-130-LDAP-2.mit.edu")
7 # # ldap.mit.edu is 1/2 broken right now so we're going to the working backend
8 # l.simple_bind_s("", "")
9
10 # def getLdapGroups(user):
11 #     """
12 #     getLdapGroups(user): returns a generator for the list of LDAP groups containing user
13 #     """
14 #     for user_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
15 #         for group_data in l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uniqueMember="+user_data[0], ['cn']):
16 #             yield group_data[1]['cn'][0]
17
18 # def checkLdapGroups(user, group):
19 #     """
20 #     checkLdapGroups(user, group): returns True if and only if user is in LDAP group group
21 #     """
22 #     for result_data in l.search_s("ou=affiliates,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "uid=" + user, []):
23 #         if l.search_s("ou=groups,dc=mit,dc=edu", ldap.SCOPE_ONELEVEL, "(&(cn=" + group + ")(uniqueMember="+result_data[0] + "))", []) != []:
24 #             return True
25 #     return False
26
27 def checkAfsGroup(user, group, cell):
28     """
29     checkAfsGroup(user, group) returns True if and only if user is in AFS group group in cell cell
30     """
31     p = subprocess.Popen(["pts", "membership", group, '-c', cell], 
32                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
33     if p.wait():
34         return False
35     for line in p.stdout.readlines()[1:]:
36         if line.strip() == user:
37             return True
38     return False
39
40 def checkLockerOwner(user, locker, verbose=False):
41     """
42     checkLockerOwner(user, locker) returns True if and only if user administers locker
43     """
44     p = subprocess.Popen(["fs", "whichcell", "/mit/" + locker], 
45                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
46     if p.wait():
47         if verbose:
48             return p.stderr.read()
49         return False
50     cell = p.stdout.read().split()[-1][1:-1]
51     p = subprocess.Popen(["fs", "listacl", "/mit/" + locker], 
52                          stdout=subprocess.PIPE, stderr=subprocess.PIPE)
53     if p.wait():
54         if verbose:
55             return p.stderr.read()
56         return False
57     for line in p.stdout.readlines()[1:]:
58         entry = line.split()
59         if not entry or entry[0] == "Negative":
60             break
61         if entry[1] == "rlidwka":
62             if entry[0] == user or (entry[0][0:6] == "system" and 
63                                     checkAfsGroup(user, entry[0], cell)):
64                 return True
65     if verbose:
66         return "You don't have admin bits on /mit/" + locker
67     return False
68
69
70 if __name__ == "__main__":
71 #    print list(getldapgroups("tabbott"))
72     print checkAfsGroup("tabbott", "system:debathena", 'athena.mit.edu')
73     print checkAfsGroup("tabbott", "system:debathena", 'sipb.mit.edu')
74     print checkAfsGroup("tabbott", "system:debathena-root", 'athena.mit.edu')
75     print checkAfsGroup("tabbott", "system:hmmt-request", 'athena.mit.edu')
76     print checkLockerOwner("tabbott", "tabbott")
77     print checkLockerOwner("tabbott", "debathena")
78     print checkLockerOwner("tabbott", "sipb")
79     print checkLockerOwner("tabbott", "lsc")
80     print checkLockerOwner("tabbott", "scripts")
81     print checkLockerOwner("ecprice", "hmmt")